510 likes | 578 Vues
Session 52. Security Architecture – What Does It Mean Katie Blot Nina Colon. Security Architecture - What Does It Mean?.
E N D
Session 52 Security Architecture – What Does It Mean Katie Blot Nina Colon
Security Architecture - What Does It Mean? “What is security architecture and what are the critical functionalities? Learn about Federal Student Aid's security architecture - the what and the why - and how it affects you. Federal Student Aid's security architecture pilot with the eCampus-Based (eCB) system will be discussed as well as our plans for the future, including E-Authentication.”
Agenda • Security Architecture Overview (Katie Blot) • Security Architecture and eCB (Nina Colon) • E-Authentication Overview (Katie Blot)
What is Security Architecture? • Security Architecture uses Tivoli Access Manager (TAM) to enable consistent Authentication, Authorization, and Accountability • Authentication: Who are you? • Authorization: What are you allowed to do? • Accountability: What did you do? • Security Architecture will enable a single unique source of Identity Management throughout Federal Student Aid using Tivoli Identity Manager (TIM) • One user profile per person for all Security Architecture protected applications • Federal Student Aid Security Infrastructure utilizing TIM and TAM provides the best in breed security software products to support the Federal Student Aid Security Architecture
Security Architecture Functions: • Provides consistent security services & configurations across Federal Student Aid systems • Decrease security risks • Improves maintainability of systems • Offloads ad hoc application security from application teams • Gives better service to our customers/partners • Single sign-on for web applications • Simplified registration/approval processing • Delegated administration • Promote enterprise security management • Consolidated security views and reporting • Flexibility to accommodate new or redeployed systems • Lowers security development and operational costs
Security Architecture Conceptual Design Federal Student Aid
Too Many Passwords to Remember Multiple Administrators Access control different by application User information spread throughout the environment Security is an application task Security standards managed by application Single Sign-on for web applications Unified administration Single tool for access control User security information centralized Security is a centralized IT management task Common security standards for all applications Benefits of Tivoli Access Manager After Tivoli Access Manager Before Tivoli Access Manager
Security Architecture Today • Eight applications secured behind Security Architecture • Including Financial Partners DataMart and Experimental Sites • eCB Integration with Security Architecture in Dec 2006 • Registration for existing eCB users available in PC Lab • New users will be able to self-register in December • Federal Student Aid Target State Vision applications are being built with Security Architecture. These applications include: • IPM • ADvance • Portals • Enterprise Service Bus (ESB) • e-Authentication to eCB
Security Architecture – How Is It Easier Than SAIG Enrollment? • All forms will be pre-populated with existing data from the SAIG Enrollment System and verified and updated by individual users. • New users will need to provide all data necessary to create userid and password. • Required data fields will be indicated by an *. • The user must know his or her institution/organization OPEID or correct Institution/organization name. • The Institution/Organization name and location will be displayed so that user can be sure of selecting the right school.
Security Architecture – How Is It Easier Than SAIG Enrollment? • The access rights are pre-defined from pre-loaded data from the SAIG Enrollment System. • Access rights will be rolled over from the prior year. • Rolling the access rights from the prior years will alleviate the need for the Destination Point Administrator (DPA) go back into the Enrollment System to give user access rights to new year.
Change in Registration Process • Starting December 16, 2006 all current user of eCB will need to register with Security Architecture • There will be no issuances of PINs for use with eCB application for Authentication of user • Starting December 16, 2006 Authentication will be only through Security Architecture with a userid and password.
Overview Diagram • Social security number • - First two (2) letters of last name • - Date of birth • - PIN PINN SERVER For Authentication E-Campus Base Authentication Module www.cbfisap.ed.gov Match? (Yes or No) E-Campus Base Application Forwarded to Application after successful Authentication Other Application #1 www.pilot.cbfisap.ed.gov • - User ID • - Password Other Application #2 Security Architecture (SA) Authentication Other Application #3
What Is New? • Registration screens are the same for all parties • DPA • FAA • Third Party Service Providers • Email is sent to registrants’ Supervisors for additional confirmation of user account being created.
eCampus Based Login • Go to eCB home page at the following URL: • www.cbfisap.ed.gov • Click Login • Current eCB users data is preloaded and limited additional information is needed to complete the registration. • You will be referred to the Security Architecture system from eCB login.
Getting Started with Security Architecture • Click on eCB Self Registration to start the registration process.
Getting Started with Security Architecture • To see if you are already in the database we need you to provide the following data (this will only occur the very first time you register): • First Name • Last Name • Date of Birth • Last 4 digits of SSN • Click submit to go to the next screen.
Getting Started with Security Architecture • Pre-populated fields like name, last four digits of SSN, OPEID and School Name can not be updated. • If you are a new user, you will need to provide data in all fields • Indicate if your organization is a Service Provider.
Getting Started with Security Architecture • Your demographic information has been pre-populated. We have carried over your information from the SAIG Participation Management System. • Please verify that the information provided is still correct. • If the information is incorrect in our system,please make necessary updates during the registration process. • Fields such as address and email can be updated.
Getting Started with Security Architecture • On each screen within the registration process, it will be necessary to verify that we have loaded the correct data. • Provide a password that only you will know. This will be part of your login for eCB.
Getting Started with Security Architecture • Fly over help text has been added to certain fields to the registration screens for clarification of the information being requested.
Getting Started with Security Architecture • Security Architecture is requiring the Supervisor contact information so we can send an email for approval for all users that request a user id and password. • If you are a Financial Aid Administrator or Service Provider self registering, please provide the Destination Point Administrator’s contact information for email to be sent for approval of access rights to eCB.
Getting Started with Security Architecture • You can either search for your organization information by name or OPEID Code. • If your information is pre-populated, please just verify that your organization information is correct.
Getting Started with Security Architecture • You will be asked to confirm the registration information that either has been pre-populated in the system or that you have entered on each screen.
eCB Access Rights • Please verify your access right by year. If you have the same access as the DPA you will select same as DPA. The Access rights are as follows: • Read • Read/Write/Submit • DRAP Access Only
Access Rights for Multiple Schools • If you are a Service Provider with more than 1 campus or Institution please register complete access rights for each OPEID and access for each cycle year.
Access Rights • If you are a DPA or Service Provider with more than 1 campus or Institution, please register complete access rights for each OPEID.
Access Rights • Shows how many schools remaining to setup access rights for. Message on screen indicates how many schools you will be registering access for. Once you select the School, you need to identify your role and access rights. • If you have multiple schools, you will need to complete the access rights for each School you are associated with
Access Rights for Multiple Schools • If you are a DPA or Service Provider with more than 1 campus or Institution, please register complete access rights for each OPEID and access for each cycle year.
Registration Confirmation • Submission Confirmation of your Registration for userid and password.
e-Mail Notification of Account • Once your registration has been submitted, you will receive an email with your userid. You will not get the password in an email. • Sample e-mail text : Subject Line: DEV: Your eCB account has been approved. Your eCB account has been approved. Your userid will be ecb.testuser
What Next? • After your initial registration, you will go to www.cbfisap.ed.gov and click “login” • You will be directed to the Security Architecture Screen to provide your userid and password. • You will no longer need to provide your SSN, DOB, First 2 letter of last name or PIN. • We will verify you are in the database and then pass your access rights back to eCB and you will continue to work in the application.
What is E-Authentication? • It is about authenticating identity credentials…but the set of identity credentials is expanded…to include other externalelectronic credentials. • For Federal Student Aid business systems… you could use your school credential to access our systems instead of the ones we provide. • For other Federal Agency business systems…you could do the same thing.
How Could This Happen? • Approach this as an enterprise initiative. In this case, the enterprise is the federal government. • Get executive sponsorship. Federal agencies are participating as part of the Presidential Management Agenda (PMA) eGov initiative. • Establish the standards, governance agreements and technology that build a “circle of trust”.
Future Model for Federations of Trust EDUCAUSE Higher Education Bridge Certificate Authority Univ. of CA Ohio Univ. Dartmouth NSF Cornell Penn State E-Authentication Federation Univ. of CA InCommon DOE Dartmouth Cornell GSA HHS Penn State ED Sallie Mae NCHELP Meteor American Education Services (AES) Student Loan Finance Association Texas Guaranteed Student Loan Corporation
Security Architecture and E-Authentication Federal Student Aid Credential Service Providers Non-Federal Student Aid Credential E-Authentication
When Does This Happen? eCB Integrated into Security Architecture Dec 2006 Security Architecture Developed Jun 2005 Jan 2007 E-Auth Architecture Developed Spring 2007 eCB Integrated into E-Auth Architecture ??? Other Systems